Using Keycloak with Shibboleth/WAYF/SAMLDS

Hi,

I would like to connect Keycloak to the DFN AAI. Essentially, they provide a WAYF (WAYF - Tools - Support - SWITCHaai - SWITCH “Where are you From”) which then redirects to SAML2 IDP of an academic institution. They call this “SAML Discovery Service” (SAMLDS).

Is this supported in any way by Keycloak?

Best wishes,
Manuel

Hi,
You can add KC manually to DFN-AAI (both IdP and SP role will work). But there is no support for an automated processing of the DFN-AAI (or any other SAML2 based) federation metadata in KC. All you can do is to add the metadata-provided SPs or IdPs manually to your KC. Or you use a script or similar to dynamically configure the KC according to the DFN-metadata, using the admin rest API.

regards,
Matthias

Thanks for the reply. That’s what I do in the beginning.

I would probably have to write a new type of Authentication source to Keycloak in parallel to “Login with Google” that would resolve the SAMLDS/WAYF and then use the selected IDP, right?

This authentication source would have to run the complete SAML authentication process or add and configure the DFN-AAI IdPs as identity providers in KC…

Hi @mbonn,

we are also trying to connect Keycloak to the DFN AAI. I read in other posts, that you already connected Keycloak to a Shibboleth IDP. I hope it’s okay that I hit you up here.

We are facing the issue that Keycloak provides SP metadata per IDP integration. The federation however expects a single SP, meaning only one set of SP metadata. Else we would have to register the Keycloak in the federation per federated IDP, which somehow destroys the whole idea of the federation.

Are we missing something? Did you find any solution for this?

Connecting to a single SAML2-IdP can easily be done with the admin console. SAML SSO key rollover is an endless source of pain with Keycloak, but the other things work. That’s for a single IdP, hard-wired to Keycloak.

But there is no support for automated SAML-federation xml-metadata processing in Keycloak. Even semi-automated/scripted import by admin API is useless, because Keycloak’s SAML-brokering URLs are generated individually per IdP: they contain the IdP alias as part of the path in the ACS URL (in my opinion, a fundamental design mistake of Keycloak’s SAML brokering).

There is a fork of Keycloak which integrates SAML federation functionality (GitHub - eosc-kc/keycloak: Open Source Identity and Access Management For Modern Applications and Services), but as far as I know, it is not integrated in the official Keycloak distribution.

So I think there is no solution with official Keycloak distribution. It cannot be registered as Service Provider in a SAML federation.
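To make the two technical points of the thread concrete (Matthias's earlier suggestion to script the IdP import through the admin REST API, and his later point that the resulting broker URLs carry the alias in the path), here is an added example. It is not code from the thread, from DFN-AAI or from the Keycloak project. It assumes Keycloak's documented admin REST API (POST, and on 409 PUT, to /admin/realms/{realm}/identity-provider/instances with an IdentityProviderRepresentation for the built-in saml provider) and the broker endpoint layout /realms/{realm}/broker/{alias}/endpoint. The federation metadata, entity names and certificate strings are constructed placeholders; the Keycloak host kc.example and realm dfn are hypothetical; and verification of the federation metadata's XML signature, which must happen before any of this is trusted, is assumed to have been done upstream.

```python
"""Build Keycloak SAML identity providers from SAML2 federation metadata.

Added example, not Keycloak project code. Assumes Keycloak's admin REST API
(POST/PUT /admin/realms/{realm}/identity-provider/instances) and the broker
endpoint path /realms/{realm}/broker/{alias}/endpoint. Host, realm, entities
and certificate strings below are constructed placeholders.
"""
import json
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of federation metadata: an IdP with two
# signing certs (key rollover in progress), an SP entity (must be skipped) and
# an IdP offering only the Redirect binding. Real metadata is signed; verify
# that signature before parsing (not done here). Certs are placeholders.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIIBOLD...
     CERTA== </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBNEW...CERTB==
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://idp.uni-a.example/idp/profile/SAML2/Redirect/SSO"/>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="https://idp.uni-a.example/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationDisplayName xml:lang="en">University A</md:OrganizationDisplayName></md:Organization>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.library.example/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="https://sp.library.example/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.uni-b.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBUNIB==
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://idp.uni-b.example/saml/sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def alias_for(entity_id: str) -> str:
    """Keycloak alias: it becomes a URL path segment, so restrict it to [a-z0-9-].
    Derived from the entityID; entityIDs differing only in punctuation would
    collide, so a real import should check for duplicate aliases before pushing."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entity_id.strip().lower())
    return re.sub(r"[^a-z0-9]+", "-", s).strip("-")


def parse_federation_idps(xml_text: str) -> list[dict]:
    """Return the IdPs in an EntitiesDescriptor; SP-only entities are skipped."""
    idps = []
    for ed in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        desc = ed.find("md:IDPSSODescriptor", NS)
        if desc is None:
            continue
        sso = {s.get("Binding"): s.get("Location")
               for s in desc.findall("md:SingleSignOnService", NS)}
        certs = []
        for kd in desc.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without @use is valid for both signing and encryption.
            if kd.get("use", "signing") == "signing":
                for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                    certs.append("".join((c.text or "").split()))
        if not certs or not (sso.keys() & {POST, REDIRECT}):
            continue  # nothing to validate responses with, or no usable binding
        name = ed.find("md:Organization/md:OrganizationDisplayName", NS)
        idps.append({"entity_id": ed.get("entityID"), "sso": sso, "certs": certs,
                     "display_name": name.text.strip() if name is not None and name.text
                     else ed.get("entityID")})
    return idps


def to_keycloak_idp(idp: dict, sp_entity_id: str) -> dict:
    """IdentityProviderRepresentation for Keycloak's built-in 'saml' provider."""
    use_post = POST in idp["sso"]
    return {
        "alias": alias_for(idp["entity_id"]), "displayName": idp["display_name"],
        "providerId": "saml", "enabled": True, "trustEmail": False,
        "config": {
            "entityId": sp_entity_id,  # SP entityID Keycloak presents; same for every alias
            "idpEntityId": idp["entity_id"],
            "singleSignOnServiceUrl": idp["sso"][POST] if use_post else idp["sso"][REDIRECT],
            "postBindingAuthnRequest": str(use_post).lower(),
            "postBindingResponse": "true",
            # Comma-separated: keep every signing cert from the metadata so a
            # rollover at the IdP does not break signature validation half-way.
            "signingCertificate": ",".join(idp["certs"]),
            "validateSignature": "true", "wantAssertionsSigned": "true",
            "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "principalType": "SUBJECT",
        },
    }


def broker_acs_url(kc_base: str, realm: str, alias: str) -> str:
    """ACS URL Keycloak serves for one broker: the alias sits in the path, so each
    imported IdP would need its own SP registration at the federation."""
    return f"{kc_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def push_idp(kc_base: str, realm: str, token: str, rep: dict) -> int:
    """Create the IdP via the admin API; on 409 (alias exists) update it in place."""
    base = f"{kc_base.rstrip('/')}/admin/realms/{realm}/identity-provider/instances"
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps(rep).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(base, body, hdrs, method="POST")) as r:
            return r.status
    except urllib.error.HTTPError as e:
        if e.code != 409:
            raise
    with urllib.request.urlopen(urllib.request.Request(f"{base}/{rep['alias']}", body, hdrs, method="PUT")) as r:
        return r.status


if __name__ == "__main__":
    reps = [to_keycloak_idp(i, "https://kc.example/realms/dfn") for i in parse_federation_idps(SAMPLE_METADATA)]
    for rep in reps:  # one distinct ACS URL per alias, although entityId is identical
        print(rep["alias"], "->", broker_acs_url("https://kc.example", "dfn", rep["alias"]))
    # To apply: obtain an admin token (admin-cli client, realm master), then
    # for rep in reps: push_idp("https://kc.example", "dfn", token, rep)
```

Running it offline prints one broker endpoint per alias while every representation carries the same `entityId`; that pair of facts is the registration problem raised in the thread, since the federation metadata for the SP would have to list each of those ACS locations. The 409-then-PUT path is what makes a periodic re-run pick up certificate changes from the metadata, and keeping all signing certificates in `signingCertificate` is the one mitigation this side can offer for IdP key rollover.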